News Stay informed about the latest enterprise technology news and product updates.

Expert: Information security spending often restricts innovation

In the opening keynote at the Black Hat USA 2009 conference, a former Google executive urged security pros to stop spending money on technologies that place restrictions on employees and instead empower end users to be security aware.

LAS VEGAS -- According to a former security researcher and engineer, enterprise security spending has become excessive because business executives don't understand how to calculate risk. At the same time, security professionals drive excessive security spending by implementing technologies that hinder employee productivity, which could ultimately hurt a company's bottom line.

CEOs are writing checks blindly, said Douglas Merrill, former chief information officer and vice president of engineering at Google Inc., and currently the president at music label EMI Group Ltd. One in three executives fund security budgets every year and have no idea why, he told attendees in his keynote presentation that kicked off Black Hat USA 2009.

Black Hat 2009 has all the news and newsmakers at the annual hacker conference. Visit our Black Hat 2009 news page.
"Everybody listens to security officers," Merrill said. "Executives are in fact terrified by us."

Merrill, a former security researcher and engineer at the Rand Corp., a nonprofit policy think tank, pointed out that security budgets were relatively immune to the economic downturn, with surveys showing some increasing as much as 5% or more. Security pros continually push for more funding, often stressing the need to avoid data breaches or the importance of completing ongoing compliance initiatives. Exhausted executives usually write a blank check, he said, despite security pros complaining that they're not being adequately funded. "They're practically paving our offices with gold now, and we're still unhappy," Merrill said.

He urged security professionals to loosen restrictions that could hinder innovation at many companies. Merrill pointed out a recent study conducted by Fortune magazine on the best places to work. Overwhelmingly, employees were most productive when they felt free of restrictions.

"Employees felt most satisfied and more productive by having the freedom to innovate and feeling involved in their company," Merrill said.

Even executives with security backgrounds are sometimes hindered by restrictive policies. At EMI, Merrill admitted violating a company information security policy, pointing out that he had an assistant move his schedule onto Google Calendar so he could bypass restrictions and easily access it when he travels. Security professionals need to learn from firms that cater their technologies for consumers -- ease of use directly affects a company's bottom line, he said. In many cases, according to Merrill, consumer technologies are better than technologies in the enterprise.

Many data breaches are happening because of silly mistakes, such as employees throwing out sensitive data instead of shredding it, yet, according to the former Google CIO, companies are investing millions of dollars in new technologies that monitor employees and cut off access to data and systems. Companies are turning to automation to eliminate human error, but Merrill referred to Google's engineering processes and its encouraging atmosphere as a proper model.

For more information
Read more about protecting security budgets in a tight economy.

Data breach fines are the last place security teams want to spend money. Learn how to prevent them.
"Our security team and engineering team built security into the infrastructure itself," Merrill said, emphasizing how Google's lack of restrictions encouraged better technology. "We didn't' have AV running on endpoints. We had it running on the mail server."

When he was at Google, he said systems monitored traffic for abnormalities. Alerts were logged and flagged for attention and addressed with minimal disruption.

Google didn't control its engineers' work environment, and as a result, encouraged new, more secure processes. "[Employees] shouldn't feel like they're criminals for being innovative. … If we want to keep our jobs and be generally happy, we have to find a way to help employees innovate."

"We have to make it so security is not a problem," Merrill said.

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.